freeradius.postinst [plain text]
#! /bin/sh
# Abort as soon as any unguarded command fails, so a half-applied
# permission or certificate step is reported to dpkg rather than ignored.
set -e
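# Re-apply the group and mode of a recorded dpkg-statoverride entry to the
# filesystem when the path on disk no longer matches it.
#
# Arguments ($2..$5 are the whitespace-split fields of the override line
# that handle_config_files captured from `dpkg-statoverride --list`):
#   $1 - expected type as a find(1) -type / test(1) letter (callers pass f or d)
#   $2 - owner from the override; stored but NOT applied, only group and
#        mode are synced -- NOTE(review): confirm that skipping chown is intended
#   $3 - group
#   $4 - mode
#   $5 - path
#
# Does nothing when type, group, mode or path is empty (e.g. no override is
# recorded), when the path already matches, or when it is not of type $1.
#
# The variables are deliberately left global: the script runs under /bin/sh,
# where `local` is not guaranteed.
#
# NOTE(review): find does not follow symlinks by default while test -f/-d,
# chgrp and chmod do, so a symlink at $5 pointing to a matching file type
# is reported as "no match" and the group/mode change lands on the link
# target. Worth confirming that none of the managed paths can be replaced
# by an unprivileged account.
update_fs_from_statoverride() {
  type=$1
  user=$2
  group=$3
  mode=$4
  file=$5

  if [ -n "$type" ] && [ -n "$group" ] && [ -n "$mode" ] && [ -n "$file" ]; then
    # find prints the path only when type, group and mode all match already;
    # empty output plus an existing path of the right type means it drifted.
    if [ -z "$(find "$file" -maxdepth 0 -type "$type" -group "$group" -perm "$mode")" ] &&
      [ "-$type" "$file" ]; then
      chgrp -- "$group" "$file"
      chmod -- "$mode" "$file"
    fi
  fi
}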
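# Register (fresh install) or re-apply (upgrade) dpkg-statoverride entries
# for the FreeRADIUS configuration files and directories.
#
# Arguments:
#   $1 - "initial": add a root:freerad 0640 override for every listed file
#        and a freerad:freerad 2751 override for every listed directory,
#        but only where no override exists yet, so an administrator's own
#        override is never replaced.
#        "upgrade": hand the existing override line (if any) to
#        update_fs_from_statoverride so group and mode on disk follow it.
#        Any other value does nothing.
#
# Security notes:
#   - 0640 root:freerad keeps the files unreadable to other local accounts
#     while the daemon's group can still read them (presumably they hold
#     secrets such as client shared secrets and database credentials).
#   - 2751 lets other users traverse but not list the directories and makes
#     new entries inherit the freerad group. The directories are owned by
#     freerad, so the daemon account itself can add or replace entries.
#   - In "upgrade" mode a path without a recorded override is left alone,
#     so files added to the list after the first install are not tightened
#     on upgrade.
#
# The exit status of `dpkg-statoverride --list` is captured with `|| ret=$?`
# rather than by toggling `set +e` / `set -e`, so the function no longer
# changes the caller's errexit setting as a side effect.
handle_config_files() {
  runmode=$1

  for file in \
    /etc/freeradius/preproxy_users \
    /etc/freeradius/policy.conf \
    /etc/freeradius/eap.conf \
    /etc/freeradius/experimental.conf \
    /etc/freeradius/huntgroups \
    /etc/freeradius/proxy.conf \
    /etc/freeradius/attrs.pre-proxy \
    /etc/freeradius/hints \
    /etc/freeradius/sql.conf \
    /etc/freeradius/ldap.attrmap \
    /etc/freeradius/attrs \
    /etc/freeradius/policy.txt \
    /etc/freeradius/attrs.accounting_response \
    /etc/freeradius/attrs.access_reject \
    /etc/freeradius/attrs.access_challenge \
    /etc/freeradius/clients.conf \
    /etc/freeradius/acct_users
  do
    ret=0
    so=$(dpkg-statoverride --list "$file") || ret=$?
    case "$runmode" in
      initial)
        if [ "$ret" -ne 0 ]; then
          dpkg-statoverride --add --update root freerad 0640 "$file"
        fi
        ;;
      upgrade)
        # $so is left unquoted on purpose: it is split into the
        # "user group mode path" fields the helper expects.
        update_fs_from_statoverride f $so
        ;;
    esac
  done

  for dir in \
    /etc/freeradius/certs \
    /etc/freeradius/sites-available \
    /etc/freeradius/sites-enabled
  do
    ret=0
    so=$(dpkg-statoverride --list "$dir") || ret=$?
    case "$runmode" in
      initial)
        if [ "$ret" -ne 0 ]; then
          dpkg-statoverride --add --update freerad freerad 2751 "$dir"
        fi
        ;;
      upgrade)
        # Unquoted on purpose, see above.
        update_fs_from_statoverride d $so
        ;;
    esac
  done
}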
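# Maintainer-script dispatch: $1 is the action dpkg requests. $2 is treated
# below as empty on a fresh install and as the previously configured version
# otherwise.
case "$1" in
  configure)
    if [ -z "$2" ]; then
      # Fresh install: register the init script and record ownership/mode
      # overrides for the runtime and log directories unless the
      # administrator already has an override in place.
      update-rc.d freeradius start 50 2 3 4 5 . stop 19 0 1 6 . >/dev/null

      if ! dpkg-statoverride --list /var/run/freeradius >/dev/null; then
        dpkg-statoverride --add --update freerad freerad 0755 /var/run/freeradius
      fi
      if ! dpkg-statoverride --list /var/log/freeradius >/dev/null; then
        dpkg-statoverride --add --update freerad freerad 0750 /var/log/freeradius
      fi

      # Pre-create the log files owned by the daemon account. They are 0644,
      # so it is the 0750 freerad:freerad directory above that keeps other
      # local users away from them. Written as an `if` so an already
      # existing file cannot leave a non-zero status behind under `set -e`.
      for file in radius.log radwtmp; do
        if [ ! -f "/var/log/freeradius/${file}" ]; then
          install -o freerad -g freerad -m 644 /dev/null "/var/log/freeradius/${file}"
        fi
      done

      handle_config_files initial
      action="start"
    else
      handle_config_files upgrade
      action="restart"
    fi

    # Fresh install, or upgrade from before 2.0.4+dfsg-4: enable the two
    # stock virtual servers unless something is already at that name.
    if [ -z "$2" ] || dpkg --compare-versions "$2" lt 2.0.4+dfsg-4; then
      for site in default inner-tunnel; do
        if [ ! -e "/etc/freeradius/sites-enabled/$site" ]; then
          ln -s "../sites-available/$site" "/etc/freeradius/sites-enabled/$site"
        fi
      done
    fi

    # Fresh install, or upgrade from before 2.1.8+dfsg-1: if eap.conf is
    # included and still points at the stock certificate directory, fill in
    # whichever default TLS material is missing.
    if [ -z "$2" ] || dpkg --compare-versions "$2" lt 2.1.8+dfsg-1; then
      if grep -E -q '^[ ]*\$INCLUDE eap.conf' /etc/freeradius/radiusd.conf &&
        grep -E -q '^[ ]*certdir = \${confdir}/certs' /etc/freeradius/eap.conf &&
        grep -E -q '^[ ]*cadir = \${confdir}/certs' /etc/freeradius/eap.conf
      then
        echo "Updating default SSL certificate settings, if any..." >&2
        test -d /etc/freeradius/certs || mkdir /etc/freeradius/certs

        # The "snakeoil" pair is a self-signed certificate generated on this
        # host. It only makes EAP-TLS based methods start out of the box and
        # gives clients nothing to verify against; replace it with a
        # properly issued server certificate before production use.
        if test ! -e /etc/ssl/certs/ssl-cert-snakeoil.pem ||
          test ! -e /etc/ssl/private/ssl-cert-snakeoil.key
        then
          make-ssl-cert generate-default-snakeoil
        fi

        # Start from a known value so an inherited environment variable of
        # the same name cannot steer the private-key branch below.
        serverpem=
        if grep -E -q '^[ ]*certificate_file = \${certdir}/server.pem' /etc/freeradius/eap.conf &&
          test ! -f /etc/freeradius/certs/server.pem
        then
          serverpem=wasnotthere
          ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/freeradius/certs/server.pem
        fi

        # Link the private key when either (a) the key was configured to live
        # in server.pem and that file was just created above as a
        # certificate-only link, or (b) server.key is configured but missing.
        # NOTE(review): in case (a) an already existing server.key makes
        # `ln -s` fail, which aborts the configure step under `set -e`.
        if {
          grep -E -q '^[ ]*private_key_file = \${certdir}/server.pem' /etc/freeradius/eap.conf &&
            [ "$serverpem" = "wasnotthere" ]
        } || {
          grep -E -q '^[ ]*private_key_file = \${certdir}/server.key' /etc/freeradius/eap.conf &&
            test ! -f /etc/freeradius/certs/server.key
        }
        then
          ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/freeradius/certs/server.key
          sed -i -e 's,^\([ ]*private_key_file = \${certdir}\)/server.pem$,\1/server.key,' /etc/freeradius/eap.conf
          # Membership in ssl-cert lets the daemon read the snakeoil key, and
          # with it every other private key that group can read. Drop the
          # membership once a dedicated key owned by freerad is installed.
          if getent group ssl-cert >/dev/null; then
            adduser --quiet freerad ssl-cert
          fi
        fi

        # NOTE(review): this makes the whole system CA bundle the trust
        # anchor for whatever eap.conf validates with CA_file. If that
        # includes client certificates, a certificate from any bundled CA
        # would chain successfully; a site-specific CA is the safer choice.
        if grep -E -q '^[ ]*CA_file = \${cadir}/ca.pem' /etc/freeradius/eap.conf &&
          test ! -f /etc/freeradius/certs/ca.pem
        then
          ln -s /etc/ssl/certs/ca-certificates.crt /etc/freeradius/certs/ca.pem
        fi

        # No static seed file shipped: point the setting at the kernel CSPRNG.
        if grep -E -q '^[ ]*random_file = \${certdir}/random' /etc/freeradius/eap.conf &&
          test ! -f /etc/freeradius/certs/random
        then
          sed -i -e 's,^\([ ]*random_file = \)\${certdir}/random$,\1/dev/urandom,' /etc/freeradius/eap.conf
        fi

        # Generate 2048-bit Diffie-Hellman parameters. The previous 1024-bit
        # size is no longer considered adequate for DHE key exchange; the
        # larger group costs extra generation time during configure only.
        if grep -E -q '^[ ]*dh_file = \${certdir}/dh' /etc/freeradius/eap.conf &&
          test ! -f /etc/freeradius/certs/dh
        then
          openssl dhparam -out /etc/freeradius/certs/dh 2048
        fi
      fi
    fi

    # Start or restart the daemon. Through invoke-rc.d a failure is
    # deliberately tolerated so a refused or failed start does not fail the
    # package configuration; the direct init-script call is not guarded.
    if command -v invoke-rc.d >/dev/null 2>&1; then
      invoke-rc.d freeradius "$action" || true
    else
      /etc/init.d/freeradius "$action"
    fi
    ;;

  abort-upgrade)
    # The upgrade was rolled back: bring the daemon back up.
    if command -v invoke-rc.d >/dev/null 2>&1; then
      invoke-rc.d freeradius restart || true
    else
      /etc/init.d/freeradius restart
    fi
    ;;

  abort-remove)
    # The removal was rolled back: start the daemon again.
    if command -v invoke-rc.d >/dev/null 2>&1; then
      invoke-rc.d freeradius start || true
    else
      /etc/init.d/freeradius start
    fi
    ;;

  abort-deconfigure)
    # Nothing to undo.
    ;;
esac

exit 0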